new one

Author: anthony-nhs

.devcontainer/Dockerfile

@@ -1,5 +1,6 @@
 ARG IMAGE_VERSION=latest
-FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${IMAGE_VERSION}
+ARG IMAGE=node_24_python_3_14
+FROM ghcr.io/nhsdigital/eps-devcontainers/${IMAGE}:${IMAGE_VERSION}
 
 USER root
 # specify DOCKER_GID to force container docker group id to match host
@@ -12,4 +13,10 @@ RUN if [ -n "${DOCKER_GID}" ]; then \
     usermod -aG docker vscode; \
     fi
 
+# fix vscode user back to 1000
+RUN usermod -u 1000 vscode; \
+    groupmod -g 1000 vscode; \
+    chown -R vscode:vscode /home/vscode
+
+RUN rm -rf /home/vscode/.ssh
 USER vscode

.devcontainer/devcontainer.json

@@ -1,15 +1,14 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
   "name": "Ubuntu",
-  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
   "build": {
     "dockerfile": "Dockerfile",
     "context": "..",
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
-      "IMAGE_VERSION": "v1.0.1" // This arg is used in the Dockerfile to specify the base image version     }
+      "IMAGE_VERSION": "pr-16-69b4bfb",
+      "IMAGE": "node_24_python_3_14"
     },
+    "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
     "mounts": [
       "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
       "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
@@ -43,3 +42,4 @@
       }
     }
   }
+}

.github/workflows/pull_request.yml

@@ -16,11 +16,12 @@ jobs:
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
   pr_title_format_check:
     uses: ./.github/workflows/pr_title_check.yml
-  get_asdf_version:
+  get_config_values:
     runs-on: ubuntu-22.04
     outputs:
       asdf_version: ${{ steps.asdf-version.outputs.version }}
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -32,21 +33,22 @@ jobs:
         id: load-config
         run: |
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+          echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
   quality_checks:
     uses: ./.github/workflows/quality-checks.yml
-    needs: [get_asdf_version]
+    needs: [get_config_values]
     with:
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
-      runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1"
+      runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   tag_release:
-    needs: [quality_checks, get_asdf_version]
+    needs: [quality_checks, get_config_values]
     uses: ./.github/workflows/tag-release.yml
     with:
       dry_run: true
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      asdfVersion: ${{ needs.get_config_values.outputs.asdf_version }}
       branch_name: ${{ github.event.pull_request.head.ref }}
-      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
     secrets: inherit

.github/workflows/quality-checks.yml

@@ -6,23 +6,11 @@ on:
       SONAR_TOKEN:
         required: false
     inputs:
-      install_java:
-        type: boolean
-        description: "If true, the action will install java into the runner, separately from ASDF."
-        default: false
-        required: false
       run_sonar:
         type: boolean
         description: Toggle to run sonar code analyis on this repository.
         default: true
         required: false
-      asdfVersion:
-        type: string
-        required: true
-      reinstall_poetry:
-        type: boolean
-        description: Toggle to reinstall poetry on top of python version installed by asdf.
-        default: false
       run_docker_scan:
         type: boolean
         description: Toggle to run docker vulnerability scan on this repository.
@@ -44,12 +32,6 @@ jobs:
       image: ${{ inputs.runtime_docker_image }}
       options: --user 1000:1000
     steps:
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
-        if: ${{ inputs.install_java }}
-        with:
-          java-version: "21"
-          distribution: "corretto"
-
       - &checkout
         name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

.github/workflows/release.yml

@@ -8,11 +8,12 @@ env:
   BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }}
 
 jobs:
-  get_asdf_version:
+  get_config_values:
     runs-on: ubuntu-22.04
     outputs:
       asdf_version: ${{ steps.asdf-version.outputs.version }}
       tag_format: ${{ steps.load-config.outputs.TAG_FORMAT }}
+      devcontainer_version: ${{ steps.load-config.outputs.DEVCONTAINER_VERSION }}
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -24,21 +25,22 @@ jobs:
         id: load-config
         run: |
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+          DEVCONTAINER_VERSION=$(jq -r '.build.args.IMAGE_VERSION' .devcontainer/devcontainer.json)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+          echo "DEVCONTAINER_VERSION=$DEVCONTAINER_VERSION" >> "$GITHUB_OUTPUT"
   quality_checks:
-    needs: [get_asdf_version]
+    needs: [get_config_values]
     uses: ./.github/workflows/quality-checks.yml
     with:
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
-      runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:v1.0.1"
+      runtime_docker_image: "ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${{ needs.get_config_values.outputs.devcontainer_version }}"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
   tag_release:
-    needs: [quality_checks, get_asdf_version]
+    needs: [quality_checks, get_config_values]
     uses: ./.github/workflows/tag-release.yml
     with:
       dry_run: false
-      asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      asdfVersion: ${{ needs.get_config_values.outputs.asdf_version }}
       branch_name: main
-      tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
     secrets: inherit